Cisco Umbrella DNS¶
About¶
Cisco Umbrella offers flexible, cloud-delivered security. It combines multiple security functions into one solution, so you can extend data protection to devices, remote users, and distributed locations anywhere.
Product Details¶
Vendor URL: Cisco Umbrella DNS
Product Type: DNS Security
Product Tier: Tier I
Integration Method: Amazon S3 Bucket
Integration URL: Cisco Umbrella Integration - Cyderes Documentation
Parser Details¶
Log Format: Syslog (CSV)
Expected Normalization Rate: 100%
Data Label: UMBRELLA_DNS
UDM Fields:
| Log File Field | UDM Field |
|---|---|
| Cisco (static) | metadata.vendor_name |
| Umbrella DNS (static) | metadata.product_name |
| DNS request and response were made (static) | metadata.description |
| custom filter | principal.hostname |
| custom filter | principal.ip |
| custom filter | principal.nat_ip |
| custom filter | security_result.category_details |
| custom filter | security_result.action |
| custom filter | security_result.action_details |
| DNS (static) | network.application_protocol |
| custom filter | network.dns.questions.name |
| custom filter | network.dns.questions.type |
| custom filter | additional.fields |
| custom filter | about.labels |
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| with network.dns.questions | NETWORK_DNS |
| missing network.dns.questions | GENERIC_EVENT |
Log Sample¶
"2023-02-28 15:18:40","hostname1","hostname1","10.10.0.1","30.30.30.3","Allowed","1 (A)","NOERROR","api.hostname.com.","Search Engines,Allow List,Search Engines and Portals","Roaming Computers","Roaming Computers","Allow List"
Sample Parsing¶
metadata.event_type = "NETWORK_DNS"
metadata.vendor_name = "Cisco"
metadata.product_name = "Umbrella DNS"
metadata.description = "DNS request and response were made."
additional.fields["dns_return_message"] = "NOERROR"
additional.fields["identities"] = "Roaming Computers"
principal.hostname = "hostname1"
principal.ip = "10.10.0.1"
principal.nat_ip = "30.30.30.3"
about.labels.key = "DNS Lookup Type"
about.labels.value = "A"
security_result.category_details = "Search Engines"
security_result.category_details = "Allow List"
security_result.category_details = "Search Engines and Portals"
security_result.action = "ALLOW"
security_result.action_details = "Allowed"
network.application_protocol = "DNS"
network.dns.questions.name = "api.hostname.com"
network.dns.questions.type = 1
Rules¶
Coming Soon